Tuesday, 13 May 2014

Woman’s medical records disclosed to an insurance company

Irish Times, 12th May 2014

The disclosure by a GP of a
woman’s medical records to an insurance company and the sending of an email
containing a patient file by another GP to an incorrect address were among the
case studies highlighted in the 2013 annual report.

Notification was also received
by the Data Protection Commissioner’s office from a medical practitioner that
their computer system had been compromised by ‘ransomware’ and that they were
unable to access their patient files.

They had received a demand for
€5,000 in return for the reinstatement of the data but they had informed
gardaí and had not paid the ransom. Five months' worth of patient files were
lost, as the practitioner also discovered the back-up files had been infected
with the rogue software.

Case studies highlighted also included a complaint against Carphone
Warehouse, after a trainee employee gave out a customer’s home
address in an “isolated” area to two individuals who claimed to have found her
stolen mobile phone, wanted to return it to her and were seeking a
reward for finding it.

The report said the disclosure
of the woman’s address to strangers resulted in “considerable distress”.
Regardless of the fact that the employee concerned was a trainee, this
disclosure should not have happened.

Electric Ireland
was the subject of a complaint over its ‘Feet on the Street’ marketing campaign
after a sales agent called to a former customer’s home and was in possession of
their personal details.

The Data Protection
Commissioner told Electric Ireland its processing of the information was
unlawful.

Mr Hawkes said companies
needed to “tread carefully” in the space of win-back marketing campaigns as
“without the prior marketing consent of the former customers concerned, there
is no legal basis to process marketing lists using such retained personal
data”.

It was also “disappointing”
that the telecommunications sector remained a cause of complaint given the
number of prosecutions taken against that sector in recent years for marketing
offences.

The office dealt with 1,507
valid data breach notifications, including the largest such breach it had ever
dealt with – the breach by the Ennis-based company Loyaltybuild,
which processed holiday loyalty schemes on behalf of companies all over Europe,
including Supervalu
and Axa in Ireland.

Some 61 per cent of data
breaches were the result of postal mailing breaches. The annual report said
that while a number of these were the result of mail merge issues at the
printing stage, “an unacceptably high” percentage were the result of human
error.

Complaints about unsolicited
direct marketing text messages, emails, phone calls and fax messages were 22.4
per cent of the total.

Bad customer service was
increasingly the driving force behind people making requests under the Data
Protection Acts to get access to their personal data, the commissioner’s office
said.

The 517 complaints concerning
access requests accounted for some 56.8 per cent of the total of 910 complaints
opened by the Data Protection Commissioner’s office in 2013. This was the
highest number ever received by the office in this category.

Mr Hawkes said this pointed to
the extent of the difficulties being experienced by individuals in their
efforts to exercise their rights and the barriers that some data controllers
place in their way.

“Data protection has to be a
corporate concern, a boardroom concern, with the clear direction coming from
the top of every organisation whether that’s in the public or private sector.”